Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

VTech Asks Court to Drop Lawsuit Over Breach Affecting Millions of Kids and Parents

Hong Kong-based educational toy manufacturer VTech is asking a federal court to drop a class-action suit stemming from a breach that exposed the personal information of millions of parents and children.

The litigation is a consolidation of five separate lawsuits, all arising out of the November 2015 data breach. In the incident, an unauthorized party accessed customer data held in its Learning Lodge app store database, a service that lets parents limit their children’s internet access and track their learning progress.

The exposed information included customers’ names, email addresses, encrypted passwords, secret questions and answers for password retrieval, IP addresses, mailing addresses and download history. The data also included photos and the first names, genders and birthdays of as many as 200,000 children. Those kids could theoretically be linked to their breached parents, exposing their full identities and giving predators a potential roadmap to physically stalk them.

The firm has never revealed how many customers could be affected, but some reports put the figure at close to five million adults.  

The company has filed its motion for dismissal in an Illinois federal court, focusing in on one part of one complaint that seeks compensation for the VTech devices themselves, which the plaintiffs claim have lost value thanks to the data breach.

VTech argued that the devices have little to do with the online database that was attacked, and that buying the devices represents a “separate and distinct” transaction. The devices are not malfunctioning, so, the company said, the claims are specious.

VTech has not painted itself as especially consumer-friendly in the wake of the breach. In 2016, the company updated the Limitation of Liability section in its terms and conditions to place responsibility for data protection back on consumers. It reads, in caps:

“YOU ACKNOWLEDGE AND AGREE THAT YOU ASSUME FULL RESPONSIBILITY FOR YOUR USE OF THE SITE AND ANY SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM. YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES. YOU ACKNOWLEDGE AND AGREE THAT YOUR USE OF THE SITE AND ANY SOFTWARE OR FIRMWARE DOWNLOADED THEREFROM IS AT YOUR OWN RISK.”

What’s Hot on Infosecurity Magazine?